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" The MAILING DATE of this communication appears on the cover sheet with the correspondence address 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 . 1 36(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

• If the period for reply specified above Is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days v^ll be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 

• Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )^ Responsive to communication(s) filed on 05 April 2004 . 
2a)K This action is FINAL. 2b)[3 This action is non-final. 

3) 0 Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11 , 453 O.G. 213. 
Disposition of Claims 

4) ^ Claim{s) 1-36 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) n Claim(s) is/are allowed. 

6) ^ Claim{s) 1-36 is/are rejected. 
?)□ Claim(s) is/are objected to. 

8) n Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) n The specification is objected to by the Examiner. 

10)0 The drawing(s) filed on is/are: a)D accepted or b)^ objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
1 !)□ The proposed drawing correction filed on is: a)n approved b)n disapproved by the Examiner. 

If approved, corrected drawings are required in reply to this Office action. 

12) n The oath or declaration is objected to by the Examiner. 
Priority under 35 U.S.C. §§119 and 120 

13) 0 Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19{a)-(d) or (f). 

a)nAII b)n Some*c)n None of: 

1 .Q Certified copies of the priority documents have been received. 

2. n Certified copies of the priority documents have been received in Application No. . 

3. n Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 

14) 0 Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 11 9(e) (to a provisional application). 

a) □ The translation of the foreign language provisional application has been received. 

15) 0 Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121 . 
Attachment(s) 

1) □ Notice of References Cited (PTO-892) 4) □ Inten^iew Sumniary (PTO-413) Paper No(s). , 

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948) 5) □ Notice of Infonnal Patent Application (PTO-152) 

3) □ Infonmation Disclosure Statement(s) (PTO-1449) Paper No(s) . 6) □ Other: 
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Response to Amendment 



This is in response to an amendment file on April 5 , 2004 for letter for patent filed on 
January 5'^, 2001 in which claims 1-36 were presented for examination. In the amendment, 
claims 1, 6, 1 1, 16, 27 and 32 have been amended, no claim has been canceled, and no claim has 
been added. Claims 1-36 remain pending in the letter. 



1 . Applicant's arguments with respect to claims 1-36 have been considered but are moot in 
view of the new ground(s) of rejection. 



2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 



3. Claims 1-36 are rejected under 35 U.S.C. 103(a) as being unpatentable over Rowney et al 
(U.S. Patent No. 5,996,076) in view of Patel (US PG Pub No. 2002/0004900) 



Response to Arguments 



Claim Rejections - 35 USC §103 



4. As per claims 1, 6, 1 1, 16, 27 and 32, Rowney et al teach a computerized method having 
a process flow operating over a computer network comprising a plurality of interconnected 
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computers and a plurality of resources, each computer including a processor, memory and 
input/output devices, each resource operatively coupled to at least one of the computers and 
executing at least one of the activities in the process flow, the method comprising extracting 
verifiable role certificates fi-om said electronic authorization; and verifying whether role 
certificates, associated with the authorization, are themselves authentic (see fig IQ 4, 12 A, 12B, 
J5B, 16, 26, 30, 35, column 15 lines 10-16 line 33, 17 lines 8-18 line 34). Rowney et al fail to 
teach an inventive concept of an electronic representation of the transaction and at least one 
verifiable anonymous role certificate for each role for which approval is required to be 
completed to obtain authorization of the transaction. However, Patel teach an inventive concept 
of an electronic representation of the transaction and at least one verifiable anonymous role 
certificate for each role for which approval is required to be completed to obtain authorization of 
the transaction {see abstract, paragraph 0011). Therefore, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the inventive concept of 
Rowney et al to include Patel' s electronic representation of the transaction and at least one 
verifiable anonymous role certificate for each role for which approval is required to be 
completed to obtain authorization of the transaction because this would have been desirable to 
use digital signature and certificate mechanisms to encode industry-wide security policy and 
authorization information into the signatures and certificates in order to permit the verifier of a 
signature to decide whether to accept the signature or certificate as valid, thus accommodating 
and easing electronic commerce business transactions. 
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5. As per claims 2, 7, 12, 17, 28 and 33, Rowney et al teach a computerized method wherein 
roles associated with the role certificates are hashed and compared with hashed roles in a 
database of hashed roles {see fig IC, 4, 12A, 12B, I5B, 16, 26, 30, 35, column 15 lines 10-16 line 
33, 17 lines 8-18 line 34). 

6. As per claims 3, 8, 13, 1 8, 29 and 34, Rowney et al teach a computerized method wherein 
the authorization is further insured by verifying that role certificates associated with the 
authorization correspond with roles in a permission set of roles of an authorization structure, the 
role certificates of which being required to authorize the transaction {see fig IC, 4, 12 A, 12B, 
15B, 16, 26, 30, 35, column 15 lines 10-16 line 33, 17 lines 8-18 line 34). 

7. As per claims 4, 9, 14, 19, 30 and 35, Rowney et al teach a computerized method wherein 
the authorization structure is an authorization tree {see fig IC, 4, 12A, 12B, 15B, 16, 26, 30, 35, 
column 15 lines 10-16 line 33, 17 lines 8-18 line 34). 

8. As per claims 5, 10, 15, 20, 31 and 36, Rowney et al teach a computerized method 
wherein the roles are extracted fi-om the role certificates associated with the transaction, each 
extracted role being hashed and these hashed roles being concatenated and hashed again, and 
then concatenated with hashes of other permission sets, if any, according to the authorization 
structure and hashed once again, resulting in a computed hash value which may be compared to 
that which was signed by the Transaction Administrator, a match indicating that the transaction 
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is authorized (see fig IQ 4, 12A, 12B, 15B, 16, 26, 30, 35, column 15 lines 10-16 line 33, 17 
lines 8-18 line 34). 

9. As per claims 21 and 24, Rowney et al teach a Transaction Authorization Method 
encoded on a computer readable medium, the method having the following steps receiving a 
request for a transaction, obtaining an electronic representation of a document having details of 
the transaction from a Digital Document Database returning the transaction details to the 
requester awaiting and receiving from the requester the completed representation, signed by the 
requester requesting the Authorization Structure for the transaction from the Authorization 
Structure Database, the Authorization Structure being pre-signed with a signature by the 
Transaction Administrator and verifying the signature, and choosing a permission set of role 
names and user members of the permission set to contact to sign in these role names forwarding 
details of the transaction request with the signature of the requester to others having roles 
corresponding to the chosen permission set and collecting signatures of each role indicated in the 
permission set, requesting role certificates from the Role Certificate Database and signatures for 
each member of the permission set and encoding the same on the document; and forwarding the 
completed electronic document including the signatures and role certificates to the requester, the 
document including authorization details required in order to confirm the validity of the 
transaction {see fig IC, 4, 12A, 12B, 15B, 16, 26, 30, 35, column 15 lines 10-16 line 33, 1 7 lines 
8-18 line 34). Rowney et al fail to teach an inventive concept of obtaining the role certificate 
signed with a signature by a Transaction Administrator from a Role Certificate Database and 
verifying the signature. However, Patel teach an inventive concept of obtaining the role 
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certificate signed with a signatxire by a Transaction Administrator fi-om a Role Certificate 
Database and verifying the signature, {see abstract, paragraph 0011). Therefore, it would have 
been obvious to one of ordinary skill in the art at the time the invention was made to modify the 
inventive concept of Rowney et al to include Patel's electronic representation of obtaining the 
role certificate signed with a signature by a Transaction Administrator fi-om a Role Certificate 
Database and verifying the signature, because this would have been desirable to use digital 
signature and certificate mechanisms to encode industry-wide security policy and authorization 
information into the signatures and certificates in order to permit the verifier of a signature to 
decide whether to accept the signatxire or certificate as valid, thus accommodating and easing 
electronic commerce business transactions. 

10. As per claims 22 and 25, Rowney et al teach a Transaction Authorization Method 
wherein the role certificates and the Authorization Structure consist of hashed information about 
permission sets and roles, such hashed information substituting for the unhashed role certificates 
and permission sets {see fig IQ 4, 12A, 12B, 15B, 16, 26, 30, 35, column 15 lines 10-16 line 33, 
17 lines 8-18 line 34), 

11. As per claims 23 and 26, Rowney et al teach a Transaction Verification Method encoded 
on a computer readable medium, the method having the following, using a verification key of the 
Role Authority to check each certificate on the document, in the following manner, checking the 
signatures on the transaction details using the verification keys in the supplied role certificates 
extracting the named roles fi-om the role certificates hashing the roles using a hash-of-hashes 
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process, checking the computed hash value of the transaction against that was originally signed 
by the Transaction Authority to ensure that it is equal to the value for the transaction received in 
the Authorization Structure, using the output of the hash-of-hashes process as input to check the 
signature on the hash-of-hashes process; if the produced hash-of-hashes string matches the 
hashed string signed by the Transaction Authority, then assuming that the request is authorized; 
and reporting the result {see fig IQ 4, 12A, 12B, 15B, 16, 26, 30, 35, column 15 lines 10-16 line 
33, 1 7 lines 8-18 line 34), Rowney et al fail to teach an inventive concept of receiving an 
electronic document representing a transaction, associated transaction details being signed by a 
Transaction Authority, a collection of role certificates certifying named roles signed by a Role 
Authority, the transaction details signed by each of the signing keys corresponding to the 
verification keys in the role certificates, and the Authorization Structure. However, Patel teach an 
inventive concept of receiving an electronic document representing a transaction, associated 
transaction details being signed by a Transaction Authority, a collection of role certificates 
certifying named roles signed by a Role Authority, the transaction details signed by each of the 
signing keys corresponding to the verification keys in the role certificates, and the Authorization 
Structure, {see abstract, paragraph 0011), Therefore, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to modify the inventive concept of 
Rowney et al to include Patel' s receiving an electronic document representing a transaction, 
associated transaction details being signed by a Transaction Authority, a collection of role 
certificates certifying named roles signed by a Role Authority, the transaction details signed by 
each of the signing keys corresponding to the verification keys in the role certificates, and the 
Authorization Structure, because this would have been desirable to use digital signature and 
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certificate mechanisms to encode industry-wide security policy and authorization information 
into the signatures and certificates in order to permit the verifier of a signature to decide whether 
to accept the signature or certificate as vaUd, thus accommodating and easing electronic 
conmierce business transactions. 



Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS fi-om the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated fi-om the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS firom the date of this 
final action. 

Any inquiry concerning this conraiunication or earlier commxmications fi-om the 
examiner should be directed to Firmin Backer whose telephone number is (703) 305-0624. The 
examiner can normally be reached on Mon-Thu 9:00 AM - 5:00 PM. 



Conclusion 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, James Trammell can be reached on (703) 305-9768. The fax phone niunber for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




May 20, 2004 



